Merge remote-tracking branch 'origin/master'

# Conflicts:
#	use-cases/single-existing-cloudtrail.md

Author: iru

.github/workflows/ci-integration-tests.yaml

@@ -15,7 +15,7 @@ on:
 concurrency: terraform
 
 jobs:
-  integration_test-eks:
+  integration_test_eks:
     concurrency: terraform-account
     continue-on-error: true
 
@@ -99,7 +99,7 @@ jobs:
         run: bundle exec kitchen destroy "organizational-k8s-aws"
 
   integration_test_ecs:
-    needs: integration_test-eks
+    needs: integration_test_eks
     concurrency: terraform-account
     continue-on-error: true
 
@@ -118,20 +118,20 @@ jobs:
           ruby-version: 2.7
           bundler-cache: true
 
-      - name: Run single-account test
+      - name: Run single-account-ecs test
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ secrets.AWS_REGION }}
-        run: bundle exec kitchen test "single-account-aws"
+        run: bundle exec kitchen test "single-account-ecs-aws"
 
-      - name: Destroy single-account resources
+      - name: Destroy single-account-ecs resources
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ secrets.AWS_REGION }}
         if: ${{ failure() }}
-        run: bundle exec kitchen destroy "single-account-aws"
+        run: bundle exec kitchen destroy "single-account-ecs-aws"
 
       - name: Run organizational test
         env:
@@ -149,3 +149,38 @@ jobs:
           TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
         if: ${{ failure() }}
         run: bundle exec kitchen destroy "organizational-aws"
+
+  integration_test_app_runner:
+    needs: integration_test_ecs
+    concurrency: terraform-account
+    continue-on-error: true
+
+    name: Test-Kitchen-AppRunner
+    runs-on: ubuntu-latest
+    env:
+      TF_VAR_sysdig_secure_url: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.7
+          bundler-cache: true
+
+      - name: Run single-account-apprunner test
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+          AWS_REGION: "eu-west-1" #APPRUNNER ONLY RUNS ON SOME REGIONS https://docs.aws.amazon.com/general/latest/gr/apprunner.html
+        run: bundle exec kitchen test "single-account-apprunner-aws"
+
+      - name: Destroy single-account-apprunner resources
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+          AWS_REGION: "eu-west-1" #APPRUNNER ONLY RUNS ON SOME REGIONS https://docs.aws.amazon.com/general/latest/gr/apprunner.html
+        if: ${{ failure() }}
+        run: bundle exec kitchen destroy "single-account-apprunner-aws"

.gitignore

@@ -42,5 +42,5 @@ override.tf.json
 
 # test
 .kitchen/*
-test/fixtures/single-account/.kitchen/
+test/fixtures/single-account-ecs/.kitchen/
 test/snippets/*

.kitchen.yml

@@ -4,6 +4,7 @@ driver:
   root_module_directory: test/fixtures
   parallelism: 4
   verify_version: false
+  command_timeout: 1200
 
 provisioner:
   name: terraform
@@ -12,9 +13,9 @@ platforms:
   - name: "aws"
 
 suites:
-  - name: single-account
+  - name: single-account-ecs
     driver:
-      root_module_directory: test/fixtures/single-account
+      root_module_directory: test/fixtures/single-account-ecs
   - name: single-account-k8s
     driver:
       root_module_directory: test/fixtures/single-account-k8s
@@ -24,3 +25,6 @@ suites:
   - name: organizational-k8s
     driver:
       root_module_directory: test/fixtures/organizational-k8s
+  - name: single-account-apprunner
+    driver:
+      root_module_directory: test/fixtures/single-account-apprunner

CONTRIBUTE.md

@@ -32,7 +32,7 @@
 
 -  [ ] **modules** (infra or services) have been modified?
   - [ ] a `README.md` file has been added to the folder
-  - [ ] if modules are relevant to usage-case understanding `diagram.py/png` have been updated accodingly
+  - [ ] if modules are relevant to usage-case understanding `diagram.py/png` have been updated accordingly. To re-generate diagrams yo need to run `python diagram.py` and need diagram installed `pip install diagrams`.
   - [ ] if pre-requirements have been modified, update accordingly on
     - [ ] README's
     - [ ] Sysdig docs

README.md

@@ -51,25 +51,37 @@ For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-g
 ## Usage
 
   - There are several ways to deploy this in you AWS infrastructure, gathered under **[`/examples`](./examples)**
+    - [Single Account on ECS](#--single-account-on-ecs)
+    - [Single Account on AppRunner](#--single-account-on-apprunner)
+    - [Single-Account with a pre-existing Kubernetes Cluster](#--single-account-with-a-pre-existing-kubernetes-cluster)
+    - [Organizational](#--organizational)
   - Many module,examples and use-cases provide ways to **re-use existing resources (as optionals)** in your infrastructure (cloudtrail, ecs, vpc, k8s cluster,...)
   - Find some real **use-case scenario explanations** under [`/examples-internal/use-cases*`](./examples-internal)
     - [Single Account - Existing Cloudtrail](use-cases/single-existing-cloudtrail.md)
     - [Organizational - Existing Cloudtrail, ECS, VPC, Subnet](use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md)
     - [Organizational - Existing Cloudtrail withouth SNS, but with S3 configuration, with K8s Cluster and Filtered Cloudtrail Event Account](use-cases/org-s3-k8s-filtered-account.md)
 
-### - Single-Account
+### - Single-Account on ECS
 
 Sysdig workload will be deployed in the same account where user's resources will be watched.<br/>
-More info in [`./examples/single-account`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account)
+More info in [`./examples/single-account-ecs`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs)
 
-![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account/diagram-single.png)
+![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-ecs/diagram-single.png)
 
+### - Single-Account on AppRunner
+
+Sysdig workload will be deployed using AppRunner in the same account where user's resources will be watched.<br/>
+More info in [`./examples/single-account-apprunner`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-apprunner)
+
+![single-account diagram on apprunner](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-apprunner/diagram-single.png)
 
 ### - Single-Account with a pre-existing Kubernetes Cluster
 
 If you already own a Kubernetes Cluster on AWS, you can use it to deploy Sysdig Secure for Cloud, instead of default ECS cluster.<br/>
 More info in [`./examples/single-account-k8s`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s)
 
+![single-account with pre-existing kubernetes cluster](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-k8s/diagram.png)
+
 ### - Organizational
 
 Using an organizational configuration Cloudtrail.<br/>

examples/organizational/README.md

@@ -26,7 +26,8 @@ Minimum requirements:
 
 3. Organizational Multi-Account Setup
     * An specific role is required, to enable Sysdig to impersonate and be able to provide
-      * For the scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
+      * For scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
+      * For scanning too, the ability to query the ECS tasks that are allocated in different account, in order to fetch the image to be scanned
       * A solution to resolve current limitation when accessing an S3 bucket in a different region than where it's being called from
     * By default, it uses [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
       * When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
@@ -148,7 +149,7 @@ $ terraform apply
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
-| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
+| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-ecs | n/a |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
 | <a name="module_ecs_vpc"></a> [ecs\_vpc](#module\_ecs\_vpc) | ../../modules/infrastructure/ecs-vpc | n/a |

examples/organizational/main.tf

@@ -50,7 +50,7 @@ module "cloud_connector" {
   providers = {
     aws = aws.member
   }
-  source = "../../modules/services/cloud-connector"
+  source = "../../modules/services/cloud-connector-ecs"
   name   = "${var.name}-cloudconnector"
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name

examples/organizational/permissions.tf

@@ -18,7 +18,7 @@ module "secure_for_cloud_role" {
 # secure_for_cloud_role <-> ecs_role trust relationship
 # note:
 # - definition of a ROOT lvl secure_for_cloud_connector_ecs_tas_role to avoid cyclic dependencies
-# - duplicated in ../../modules/services/cloud-connector/ecs-service-security.tf
+# - duplicated in ../../modules/services/cloud-connector-ecs/ecs-service-security.tf
 # -----------------------------------------------------------------
 resource "aws_iam_role" "connector_ecs_task" {
   provider           = aws.member

examples/single-account-apprunner/README.md

@@ -0,0 +1,128 @@
+# Sysdig Secure for Cloud in AWS<br/>[ Example :: App Runner ]
+
+Deploy Sysdig Secure for Cloud in a single AWS account using App Runner.<br/>
+All the required resources and workloads will be run under the same account.
+
+## Prerequisites
+
+Minimum requirements:
+
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+1. Secure requirements, as input variable value
+    ```
+    sysdig_secure_api_token=<SECURE_API_TOKEN>
+    ```
+
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore <br/><br/>
+* **AppRunner enabled zones** AppRunner isn't available in all AWS zones, check [AppRunner Service endpoints](https://docs.aws.amazon.com/general/latest/gr/apprunner.html) for enabled zones.
+
+
+## Usage
+
+For quick testing, use this snippet on your terraform files
+
+```terraform
+terraform {
+   required_providers {
+      sysdig = {
+         source  = "sysdiglabs/sysdig"
+         version = ">=0.5.33"
+      }
+   }
+}
+
+provider "sysdig" {
+   sysdig_secure_api_token = "<SYSDIG_SECURE_URL>"
+   sysdig_secure_url       = "<SYSDIG_SECURE_API_TOKEN"
+}
+
+provider "aws" {
+   region = "<AWS_REGION> Take care of AppRunner available zones: https://docs.aws.amazon.com/general/latest/gr/apprunner.html"
+}
+
+module "cloudvision_aws_apprunner_single_account" {
+   source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-apprunner"
+   name   = "<APPRUNNER_SERVICE_NAME>"
+}
+```
+
+See [inputs summary](#inputs) or module module [`variables.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account/variables.tf) file for more optional configuration.
+
+To run this example you need have your [aws account profile configured in CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) and to execute:
+```terraform
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.33 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.33 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
+| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
+| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
+| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
+| <a name="module_ecs_vpc"></a> [ecs\_vpc](#module\_ecs\_vpc) | ../../modules/infrastructure/ecs-vpc | n/a |
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | ../../modules/infrastructure/resource-group | n/a |
+| <a name="module_ssm"></a> [ssm](#module\_ssm) | ../../modules/infrastructure/ssm | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sysdig_secure_connection.current](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_connection) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
+| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
+| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
+| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created | `string` | `"create"` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
+| <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created | `string` | `"create"` | no |
+| <a name="input_ecs_task_cpu"></a> [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
+| <a name="input_ecs_task_memory"></a> [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
+| <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `string` | `"create"` | no |
+| <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
+| <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudtrail_sns_topic_arn"></a> [cloudtrail\_sns\_topic\_arn](#output\_cloudtrail\_sns\_topic\_arn) | ARN of cloudtrail\_sns topic |
+<!-- END_TF_DOCS -->
+
+
+## Authors
+
+Module is maintained and supported by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.